Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security Communications Privacy

Hacker Penetrates T-Mobile Systems 396

Posted by timothy
from the sounds-like-a-movie-plot dept.
An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."
This discussion has been archived. No new comments can be posted.

Hacker Penetrates T-Mobile Systems

Comments Filter:
  • by isometrick (817436)
    At first, I got "Nothing to see here" ... but Paris Hilton? Sounds like that guy had plenty to see ;-)
      • At first, I got "Nothing to see here" ... but Paris Hilton? Sounds like that guy had plenty to see ;-)
      Nah, everyone's already seen plenty of Paris Hilton, a few grainy cell phone camera shots aren't worth anything. ;)
  • by BoldAC (735721) on Wednesday January 12, 2005 @08:41AM (#11333982)
    Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.

    Okay, all my Karma points for a link. :)

    The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobson, facing the prospect of prison time, is favorably considering the offer.


    As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.

    • I don't understand why he asked for a proxy from this dude he had just met. Really, really stupid, especially when it turned out to be a government monitoring server.
      • by DingerX (847589) on Wednesday January 12, 2005 @09:27AM (#11334489) Journal
        Well, just because he got into T-Mobile's system doesn't mean he has a lot of friends. Sure, most young males engaged in such activities are giants of men, with beautiful girls on each arm, and the social ease of a High Commissioner after a second martini, but they're not all so smooth. Heck, he was probably overwhelmed by the fact that the Secret Service took an interest in him, and, seeing photographic evidence that the rumors of those wild "protect the currency" parties were true, figured this was a better shot at a real job than a scattershot "to whom it may concern" resume mentioning everything but the name of the nun who kicked him out for one too many links to the xmas islands on the high school web page.
      • by Tassach (137772) on Wednesday January 12, 2005 @10:07AM (#11334960)
        From the article:
        [He] even knew the agency was monitoring his own Microsoft ICQ chat account
        Come on, how frelling stupid can you be? You've got hard intel that the opposition is on to you and you don't shut down your operation? At the very least you crank up your operational security a notch or ten in that situation.

        The guy crossed the line when he went to sell personal information to identity theives. Looking at famous people's candid photos is pretty harmless (as long as he's not selling them to some tabloid or spreading them around). Reading the SS's email is the ultimate in poetic justice; they should be more aware of just how insecure email is than just about anyone. It's inexcuable for the frelling SS to have been sending sensitive documents around in unencrypted emails.

        In the end, it sounds like the guy got caught because of his own hubris. Which, when you think about it, is typical... criminals get busted not because the cops are spectacuarly competant, but because they run their mouths off.

    • >Okay, all my Karma points for a link. :)

      If his aren't enough I'll add my own to the lot.
    • uh, blackmail? (Score:3, Interesting)

      by SuperBanana (662181)
      As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.

      Um...you do realize they're blackmailing him, right?

      Honestly, I can't decide if being blackmailed is better or worse than him rotting in jail. We don't let people off th

    • You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.

      Try telling the old lady whose credit card was swiped that you just gave the thief a six-figure salary and a supercomputer. We neutered our intelligence community a while back because it wasn't politically correct to work with bad people. Of course, you have to associate with unsavo

  • Get Moore !?! (Score:5, Interesting)

    by rednip (186217) <rednip@NOSpam.gmail.com> on Wednesday January 12, 2005 @08:43AM (#11333998) Journal
    Most troubling...
    T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning.

    Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?

    BTW, the Black Hat's email address (and online identity) is ethics@netzero.net [mailto] and at one point was looking for work as a security administrator. Not a big surprise that he was interested in the field, but 'Ethics'!

    • Re:Get Moore !?! (Score:4, Informative)

      by ack154 (591432) * on Wednesday January 12, 2005 @08:49AM (#11334077)
      This might be why (though there's no stating if it's the actual reason or not):
      but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation
      That would be my guess anyways.
    • Re:Get Moore !?! (Score:5, Informative)

      by lucabrasi999 (585141) on Wednesday January 12, 2005 @08:53AM (#11334119) Journal
      Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?

      RTFA:

      T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

      It appears that if you sue, you won't win.

      • Re:Get Moore !?! (Score:5, Interesting)

        by lucabrasi999 (585141) on Wednesday January 12, 2005 @08:56AM (#11334146) Journal

        As I read even more of the FA:

        According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.
        "[A]m offering reverse lookup of information for a t-mobile cell phone, by phone number at the very least, you get name, ssn, and DOB at the upper end of the information returned, you get web username/password, voicemail password, secret question/answer, sim#, IMEA#, and more," Ethics wrote.

        It appears the feds knew about this months ago.

        • "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.

          Makes you wonder how many other crackers have gotten access to similar information, but weren't stupid enough to post that fact online, but went to a competitor (or the local Godfather, or the Chinese embassy) instead.

      • Under California's anti-identity theft law "SB1386,"...

        Trouble with that is, I don't live in California, if it was a federal law, then that would apply. However, I do think that most courts would say that to protect a ongoing investigation, it might be permissable for a short time. Of course it looks like the Feds held this for more than 6 months! Also, the initial breech was due to T-Mobile's lack of security.

        Personally I don't think that companies will start taking their security seriously until big

  • by randalx (659791) on Wednesday January 12, 2005 @08:43AM (#11334001)
    Didn't know Demi Moore and Paris Hilton were that good with computers.
  • by Dragoon412 (648209) on Wednesday January 12, 2005 @08:44AM (#11334013)
    Demi Moore and Paris Hilton are involved.

    Can't it just be assumed, at this point, that if there's some major event involving porn, that Paris Hilton is involved?
    • This whole thing was probably conceived to give Paris Hilton more publicity. Who cares? Why does anybody care about her?
      • by doublem (118724) on Wednesday January 12, 2005 @10:21AM (#11335131) Homepage Journal
        She's what the media says should be the "perfect" woman. According to Hollywood and fashion designers, she's ideal.

        Wealthy
        Thin to the point of being unhealthy
        High Libido
        Slutty
        Blond
        Dumb as a post.

        As a result, the media HAS to go nuts about her, because toothpicks like her are the kind of trash they've been throwing at us for ages.
  • does it really exist?

  • Why am I not surprised?
  • by Anonymous Coward on Wednesday January 12, 2005 @08:47AM (#11334058)
    http://lists.jammed.com/securityjobs/2001/09/att-0 059/01-RESUME_OF_NICHOLAS_JACOBSEN.txt
  • by Vollernurd (232458) on Wednesday January 12, 2005 @08:48AM (#11334060)
    Surely the Secret Service would encrypt anything important? I would have though that they would not have used a commercial network service like that. But then again mum always told me not to think too much.
    • by lucabrasi999 (585141) on Wednesday January 12, 2005 @09:07AM (#11334256) Journal
      I would have though that they would not have used a commercial network service like that.

      In other news, The President had to be reminded (again) that the White House Lobby Pay Phone should not be used to call Ariel Sharon.

    • by fizban (58094) <fizban@umich.edu> on Wednesday January 12, 2005 @09:14AM (#11334324) Homepage
      Hello? Welcome to the United States. The internet infrastructure is built and controlled by companies. It's not like our government agencies have their own internet. If a Secret Service Agent needs to send an email to the home office, he'll pick up his sidekick, his Blackberry, his Palm, his laptop, etc., connect to a service provider like T-mobile, Verizon, Comcast, etc. and send his message or store his files. Probably encrypted, but maybe not always if it's not a considered a very sensitive communication.

      A lot of people have crazy delusions that secret agencies live in some far off technical wonderhome, where all communications are encrypted with some super 733t MD67 algorithm never before seen by any other person in the world, all access is controlled by handprint and retinal scan identification and everyone walks around with James Bond gadgets in their pockets. It's just not so. These people live and work in normal offices and normal homes and deal with the same crappy, bug-ridden and insecure hardware and software that the rest of us do. It's probably a bit better than your normal corporate office, but not by much.
      • It's not like our government agencies have their own internet.


        So, MILNET doesn't exist any more?
        • A lot of people have crazy delusions that secret agencies live in some far off technical wonderhome, where all communications are encrypted with some super 733t MD67 algorithm never before seen by any other person in the world, all access is controlled by handprint and retinal scan identification and everyone walks around with James Bond gadgets in their pockets. It's just not so. These people live and work in normal offices and normal homes and deal with the same crappy, bug-ridden and insecure hardware
      • "Surely the Secret Service would encrypt anything important?"

        Probably encrypted, but maybe not always if it's not a considered a very sensitive communication.

        FTFA:

        Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to

        sensitive agency documents that were circulating in underground IRC chat rooms.

        I think the grandparent has a point. Maybe not use their own dedicated network, but there is certainly emai

    • I don't know what they're complaining about. I thought we weren't supposed to have an "expectation of privacy" with email. So it's legal to read anyones email without violating their privacy right?
      • I've said it before, and I'll say it again, no matter how much it makes me look like a tin-foil paranoid: You have no privacy on the Internet and assuming that you do is foolish. Yes, you can use things like GnuPG to encrypt your email, but just about anyone can grab the ciphertext off of the mail server or while it is in transit. You can use SSL to submit a webform, but someone can get at the encrypted stream sent to the server. Assuming that you have anything worth knowing that is worth more than the c
  • The News (Score:5, Insightful)

    by DrugCheese (266151) on Wednesday January 12, 2005 @08:50AM (#11334086)
    I bet the American public will be more flabergasted over the fact that he has pictures of Demi Moore and Paris Hilton that haven't been released then the fact he was spying on the Secret Service.

    Some days I'm proud to be american, but then the drugs wear off.

  • Why are secret service members sending out e-mail from unsecured wireless access points?
  • by dnno (773903) <clj.dnno@[ ]il.com ['gma' in gap]> on Wednesday January 12, 2005 @08:53AM (#11334112) Homepage Journal
    Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On todays lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption) , so why would they send anything of importance over T-Mobiles network?
    • by Maestro4k (707634) on Wednesday January 12, 2005 @09:35AM (#11334580) Journal
      • Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On todays lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption) , so why would they send anything of importance over T-Mobiles network?
      If you'd RTFA, you'd know that many of things he had access to were important, sensitive and, in an ideal world, should have been encrypted. One good question the article didn't ask is why'd the secret service agent send these things unencrypted over a monitorable network? Personally I'd like to know that he had been disciplined for allowing this security breach to occur.
  • by HawkinsD (267367) on Wednesday January 12, 2005 @08:54AM (#11334124)
    FA says that he was offering ssn, dob, passwords, etc. for sale.

    So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?

    Who performs first? Are there criminal escrow services?

    And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?

    Is there something I'm missing here?

    No, really.

    • And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?

      Well, it might have been stupid on his part, but he was smarter than the SS agent that used a public mobile network to transmit files.

    • E-Gold, maybe? I'm sure there are others offering "untraceable" cash transfers. Probably cash in an envelope works too.
    • are there any escrow services that aren't criminal?
    • and how many non-stupid people out there still have this access?

      After all, they only caught him after he tried to sell the stuff, not through any security monitoring.

      The smart money would have been on selling the demi moore etc pics; what secret service agent is going to investigate where some paparazzi pics came from?

    • by oobob (715122) * on Wednesday January 12, 2005 @09:49AM (#11334747)
      So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?

      Who performs first? Are there criminal escrow services?


      This page [securityfocus.com], linked in the posted article, has some explanation about how they traded:

      "The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.

      Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid..

      Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias."

      And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?

      Um, dude, have you ever hung out on undernet? All sorts of shady shit happens there. I've known friends who knew people from online chatrooms who hijacked business conference call lines and made them available to entire chatrooms as a group conference voicechat line. Warring chatrooms would even appear and try to make the line unusable. I thought it was moronic (they even called from their home and work phones for God's sake!), but I think people aren't used to the internet's topology. The lack of a physical police presence makes people pretty confident and reckless - you're not there, so they can't just arrest you on the spot, which eliminates most of the anxiety in any crime (smoke weed in a public park and your house and compare your reactions). Even worse, because of the nature of the internet, the police don't need a physical presence to monitor any of it, so criminals can't just look over and notice that shady van across the street. The lack of these real-world reminders makes for bad heuristic judgments. You'd think hackers would be the first to notice that their lack of fear is due to this sort of fallacy, but from the article, it's clear that some don't.

      Don't get me wrong - I'm not saying that it's easy to catch people committing crimes online. It's extremely difficult. GHB kits thrived online, and I'm sure if you still looked you could find products ostensibly marketed for other reasons that are just clandestine GHB kits on google (that's the only example you get, but you'd all be fucking shocked if you knew just how many drugs are sold online with Visa and paypal). If you take only the most obvious precautions, it's many times harder. Something as simple as using a proxy and encryption from a "borrowed" wireless connection can make criminals almost undetectable. Many of us use one of the three reguarly. How hard is it to combine them?

      The police can't monitor everything. Even if they devoted the resources to looking for this sort of thing, how many people know the magic combinations of words and searching techniques that let them
    • So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?

      Some people launder money through online poker games. Invite your buyer to a game and have them "lose" some money to you. Internet gambling companies are usually based in offshore banking havens, making it difficult for the authorities to scrutinize your transaction. (I'd never do this myself, of course.)

  • Hmm... (Score:5, Insightful)

    by 404 Clue Not Found (763556) on Wednesday January 12, 2005 @08:55AM (#11334133)
    So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?

    I mean, it's not like he found a flaw and just experimented with it briefly. He deliberately exploited it over the course of a year and even attempted to profit from it. Doesn't that seem... wrong?

    I understand that he would be very useful to the investigators, but what about the victims? Were there actually any? Were they affected? If so, it sure seems like the punishment was rather light. Almost encourages people to try the same thing. Is the message here "crime pays, as long as you work for the government once you're caught"?

    On the other hand, how can he work as a mole when so much about his identity is already revealed? If the entire world now knows his name, has access to his resume, etc., isn't he at great risk of being identified?

    And it's not just him... with all the information revealed in the news article, how can the SS's original snitch stay hidden? Wouldn't whatever hackers he made contact with obviously know who he is, now?

    It's almost like watching a spy movie. Heh, well, what do I know. It all just seemed rather strange to an outsider like me, but I must admit I don't know how these things usually work. Someone wanna explain?

    Also, it was interesting that they called ICQ "Microsoft ICQ". Just a mistake or did MS secretly buy AOL?
    • Re:Hmm... (Score:3, Insightful)

      by phats garage (760661)
      What, you're somehow expecting corporations and governments to be non-evil?
    • I noticed the Microsoft ICQ point, too. Seems like the reporter made a mistake there. I'm also not sure the term "honeypot [wikipedia.org]" is appropriate.
    • Re:Hmm... (Score:4, Interesting)

      by pegr (46683) * on Wednesday January 12, 2005 @09:18AM (#11334378) Homepage Journal
      So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?

      If you think the Secret Service won't use his skills in exactly the same way he was offering to the public before he got busted, you are mistaken. That is to say (explicitly), the Feds will use this guy to break into private computer networks and steal information of interest to them. They will keep him at arms length in case he gets caught. This is the way law enforcement (unfortunately) works...
    • Are you new here? (Score:5, Insightful)

      by copponex (13876) on Wednesday January 12, 2005 @09:29AM (#11334512) Homepage
      Situational ethics are pervasive in our society. Steal 100,000,000 through insurance fraud, you get 5 years. Rob 10,000 at a bank, and get 20.

      This is also the same country where we gave a dictator the technology and biological weapons to kill his own people by the tens of thousands, and used that as a reason 15 years later to depose him.

      Get used to it.
      • On the other hand, how can he work as a mole when so much about his identity is already revealed? If the entire world now knows his name, has access to his resume, etc., isn't he at great risk of being identified?

      Not really, this stuff all takes place online in forums and IRC so all he has to do is create new identities and work his back into the scene. If he does get exposed, just lather, rinse, repeat. I'm sure the secret service can make sure he has plenty of different IPs to come from to help him

      • Re:Hmm... (Score:3, Funny)

        by Cyn (50070)
        --> Johanne (urarrested@ARN-34.i_am_from_the_united_states_sec ret_service.gov)
        Hello fellow criminals. Let's do crime.
    • Re:Hmm... (Score:3, Insightful)

      by dr_dank (472072)
      So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?

      The government does this all the time in organized crime and drug cases. Look at a guy like Sammy "The Bull" Gravano. He killed god knows how many as a member of the Gambino family not to mention a list of other crimes a mile long but was given a slap on the wrist and a new identi
  • by motherjoe (716821) on Wednesday January 12, 2005 @08:55AM (#11334140)
    Why on earth is the Secret Service of the United States using T-Mobile as an ISP/Email provider?

    What's next? The FBI, CIA, etc is compromised while using hotmail, Yahoo, or Google mail?

    Are Gov IT cutbacks so severe they have to turn to places like this to send messages?

    • ...one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.

      They were monitoring sites that did illegal business and found out about this.
    • Argh! RTFA.

      The agent was also an adopter of mobile technology, and he did a lot of work through his T-Mobile Sidekick

      The agent mentioned here, Cavicchia, was an "early adopter".

      With all the money that USSS has, I'd hope they'd develop some custom encryption solutions for their Sidekicks and Blackberries, if they indeed find them useful.

      • I don't believe Sidekicks have anything - aren't they just dump pop3/imap devices?

        Blackberries encrypt the data on the device, send it to the cellular network, to blackberry and back, IIRC (I believe blackberry acts as the routing between the different networks hostings its devices - i.e, nextel vs tmobile, etc)

        ostiguy
    • Surprisingly perhaps, the US government doesn't have a nationwide (if you can call T-Mobile nationwide) wireless network available. If they did, I'm sure they wouldn't use T-Mobile to send messages. I'm also pretty sure that they encrypt anything sensitive. These are just your standard bureaucratic e-mails going back and forth.

      Do you really think the US Government should build up a cellular-like network for its own use? Now, I wouldn't mind if they would put up some towers in the middle of nowhere so my re

  • Ohh, well... that makes it terribly important then!
  • I'm a T-Mobile customer (not for long, after this).

    I already sent them a nastygram over this. What kind of irresponsible piece of s*** company not let their customers know all their information is in the hands of a hacker???
  • by davetrainer (587868) * <slashdot@NOsPAm.davetrainer.com> on Wednesday January 12, 2005 @09:01AM (#11334192)
    "He basically just said there was flaw in the way the cell phone servers were set up," says William Genovese, a 27-year-old hacker facing unrelated charges for allegedly
    selling a copy of Microsoft's leaked source code for $20.00."

    I hope it came with an 18-dollar bill.

  • T-Mobile Security (Score:2, Informative)

    by GJSchaller (198865)
    My guess is that the Secret Service was using Blackberries, which uses encrypted transmissions between the Blackberry server and the device, and even multiple encryptions, if I remember correctly (one for the message, one for the Wireless). I doubt that they were stupid enough to use unencrpyted service, when regular non-Govt. customers can have encryption (We have it here at our job on our BBs). Note that they say "emails" and not "SMS" or "Text Messages."
  • Cue in virus spreading under the pretense of Paris' new nude haxx0red pictures in five, four, three, two...

    Most impressive that it took them a year to find him, and unsirprisingly they catched him when he tried to make a mint out of his exploiting. Remember kiddies, bragging is not good for you.
  • The chairman of the FCC Michael "I have no idea what the public interest is" Powell is right on the case making sure your privacy is protected.

    Bank on it.
  • Gets ya thinking... (Score:3, Interesting)

    by jchawk (127686) on Wednesday January 12, 2005 @09:13AM (#11334305) Homepage Journal
    You know it seems like the reason this guy got caught was because he was sloppy with his own identity online... If he would have been more careful with the names / icq numbers / people he trusted online, it's very unlikely that he would have gotten caught.

    I think he let his greed / ego get in the way when trying to offload this information that he obtained.

    This really makes you wonder about the guys you never hear about, the ones that don't get caught. :-/
    • If he would have been more careful with the names / icq numbers / people he trusted online, it's very unlikely that he would have gotten caught.

      I find it unlikely that T-Mobile didn't know who was doing the work in a very short matter of time. It's likely that they knew within a few months and were simply gathering enough information to present a compelling case against him. If they wanted to use the patriot act against him they have to turn it over to the FBI, who also takes a long time.

      I find it
    • by twitter (104583)
      This really makes you wonder about the guys you never hear about, the ones that don't get caught. :-/

      I agree, the most disturbing thing about all of this is the low level of knowledge of the hacker. He was nothing but a script kiddie on his resume and he was caught with obvious mistakes. We can be sure that TMobile and others are still owned by more sophisticated crackers who will not be caught.

      The article links to a 2001 resume [securityfocus.com] which never mentions GNU and only once mentions Unix but lots of Windozed

  • standards board (Score:4, Insightful)

    by shameus_burp (848522) on Wednesday January 12, 2005 @09:16AM (#11334345)
    Even though I am not a T-Mobile subcriber, it's distrubing to me that my personal information is protected by the whim of a corporation and not by any standards. I think everyone is in agreement that corporations are driven by cost of security and not the security of it's subscribers. The government should fine T-Mobile for inadequet IT security and a security standards board should be created to set baseline security measures for corporations and other institutions. I'm not sure such a committee exists but it's clear to me that there are no defined rules to protect information. We have rules from the FDA in regards to food, rules to handle securities etc. Why not rules and laws to protect customer and employee information?
    • Re:standards board (Score:2, Insightful)

      by nberardi (199555) *
      I agree that T-Mobile should be fined for the lack of security and anybody that has a T-Mobile should be able to drop the account with out the early fees. But setting up another level of bueracracy to do something is never the answer, and the data was probably protected by some kind of standards. But as we have seen in the last week even an Open Standard such as Linux has holes in it. I don't know what T-Mobile uses, but this problem was due to a whole in security not a lack of security.

      There is always
  • Penetration definitely occurred. And not just to T-Mobile.

    Pretty much anyone who uses that services got "Penetrated" pretty well -- and if you weren't doing your work over a good vpn with encryption, well, lets just say that it probably hurt.
  • Oh well that's a relief... had access to social security numbers, but not credit cards... weeeeeee.. I'm put at ease now...
  • For an article at a technical security forum there seems to be a lot more attention paid to personality, law enforcement and celebrity than the actual issue of security. I gave up on reading bugtraq a few years ago when a series of ego clashes and flame wars drove the message volume up and the s/n ratio down - looks like I haven't missed out on anything if this sort of article passes for news there these days.
  • by CastrTroy (595695)
    Why isn't the secret service encrypting their email? The technology to do this has been around almost as long as email itself? Don't trust someone elses system to keep your unencrypted information private.
  • A few replies to this posting have expressed surprise that SS agents use commercial wireless accounts, but how else could they send information to and from the field wirelessly? A few more have suggested that the compromised SS data may just be intra-agency chit-chat, but a couple things suggest that may not be so.

    First of all, the nature of the documents that were leaked in the IRC chat - one is described as an "internal memo", and the other is probably a treaty with the Russians to share criminal inform

  • by maharg (182366) on Wednesday January 12, 2005 @10:44AM (#11335441) Homepage Journal
    .. now *that* would be a story ;o)
  • by Spy der Mann (805235) <spydermann.slashdot@NOspam.gmail.com> on Wednesday January 12, 2005 @11:56AM (#11336492) Homepage Journal
    as its weakest link.

    (This event could be called "backdoor", couldn't it?)

Possessions increase to fill the space available for their storage. -- Ryan

Working...